Memo to IT security: Think globally, act immediately

LAS VEGAS - IT security is more complicated than packets, bytes and bits, a former White House adviser told security experts gathered this week for the Black Hat Briefings conference.

The economic, political and possibly even military consequences of a cyberattack extend beyond its immediate impact on networks and systems, said Bryan Cunningham, now a principal at the Denver law firm Morgan & Cunningham. In a worst-case scenario, a cyberattack launched against another country by a third party from compromised computers inside the United States could be construed as an act of war on the part of the United States.

"We could be backed into a real shooting war, theoretically," Cunningham said.

He added that the likelihood of such an event probably is not great.

"I don't want to create a sense of panic or say this is likely to happen," Cunningham continued. But other countries have acknowledged they are developing cyberwarfare capabilities, and terrorist groups have demonstrated an interest in acquiring these skills. "Knowing this, you have to start assuming it can happen. You need to hope for the best but plan for the worst."

Planning for the worst was part of Cunningham's job as a CIA officer and deputy legal adviser to the National Security Council for more than two years under Condoleezza Rice. He drafted portions of the Homeland Security Act ("the good parts," he says) and contributed to the 2003 National Strategy to Secure Cyberspace. He said the government is taking the threat of cyberwarfare seriously.

Because restrictions on law-enforcement activity within the country and across its borders could hamper a response to cyberattacks against U.S. computers, the administration has adopted the policy that cyberattacks are not a law-enforcement issue.

This is spelled out on Page 65 in the National Strategy, which says, "When a nation, terrorist group or other adversary attacks the United States through cyberspace, the U.S. response need not be limited to criminal prosecution. The United States reserves the right to respond in an appropriate manner."

This opens the way for the commander in chief to bring national-security forces, including the military, to bear against cyberthreats.

Despite its importance to national security, most of the nation's IT infrastructure is owned and controlled by the private sector. Commercial IT security decisions usually are based on business considerations rather than on national-security concerns.

If the level of IT security does not improve, the private sector faces the possibility that security decisions will be made for it by the government, Cunningham warned. This is a step that the administration so far has been reluctant to take, preferring to let market demands drive security. But that could be changing.

"The government, historically, has not been very good at detailed regulation of things like information security," he said. "But I think we're fairly close to the tipping point now."

One area where legislation is likely soon is identity theft. Because of growing concern about the loss of sensitive personal data held by government and by companies, Cunningham predicted that federal legislation comparable to California Senate Bill 1386, the Database Security Breach Notification Act, would be passed this year to require disclosure when personal data has been compromised. Several such bills have been introduced in Congress.

Cunningham is not alone in this belief. Chas Phillips, policy counsel for the House Government Reform Committee, said recently that it is becoming politically difficult to oppose such legislation.

"I think you're going to see action on it sometime in this Congress," Phillips said at a conference in Washington.

Eventually, regulations such as the Health Information Portability and Accountability Act and the Gramm-Leach-Bliley Act probably will be applied across the board to most types of information held by any organization, Cunningham said.

Such regulations so far have been technology-neutral, as Congress has been reluctant to specify what tools should be used to meet regulatory requirements. Cunningham said he does not expect Congress to begin writing technical specifications into its legislation soon. But if a serious national-security breach occurs, all bets could be off and organizations could find themselves facing technology checklists in government regulations, he said.